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Remarks 

Claims 1-6 and 8-19 are pending in this application. The Office Action states that 
claims 9-13 and 19 are allowed and claim 8 contains allowable subject matter. By this 
Amendment, claims 1, 3-6, 9 and 14-19 are amended. 

Applicant appreciates the courtesies shown to Applicant's representative by Examiners 
Nobahar and Barron in the March 24 personal interview. Applicant's separate record of the 
substance of the interview is incorporated into the following remarks. Specifically, claims 1, 
3, 4-6 and 14-18 are amended to comply with the Examiners' helpful suggestions made during 
the interview. 

Reconsideration based on the above amendments and following remarks is 
respectfully requested. 
I. Specification 

The Office Action states that a substitute specification in proper idiomatic English 
and in compliance with 37 C.F.R. § 1 .52(a) and (b) is required. Applicant has provided the 
required substitute specification and respectfully submits that the Specification is in 
compliance with 37 C.F.R. § 1.52(a) and (b). No new matter is added in the Substitute 
Specification. 

Applicant respectfully submits that the terms identified by the Examiners during the 
interview are clearly described in the specification. In particular, Applicant respectfully 
submits that the following definitions of the following terms identified in the February 3 
Office Action are clear from the specification as a whole: 

1) encryption target data is data or information that has been encrypted and is part of 
the lock data; 

2) signature target data also is data or information that has been encrypted and part of 
the lock data on which a signature to be verified by use of the public key is to be written; 
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3) encryption target data is data that is intended to be encrypted; 

4) target range is a range of data that is intended to be encrypted; 

5) target data is the encrypted target range; 

6) judgment target is the individual lock that is being judged; and 

7) signature target is the signature being validated. 
IL Claim Rejection Under 35 USC §112 

The Office Action rejects Claims 3, 16 and 17 under 35 U.S.C. §112, second 
paragraph, as being indefinite. This rejection is overcome by the amendments to these 
claims. 

Withdrawal of the rejection of claims 3, 16 and 17 is respectfully requested. 

IV. Claim Rejection Under 35 USC §102 

Claims 1-6, 14-16 and 18 are rejected under 35 U.S.C. §102(e) as being unpatentable 
over U.S. Patent No. 6,1 18,874 to Okamoto et al. (Okamoto). This rejection is respectfully 
traversed. 

As discussed at the March 24 personal interview, it is respectfully submitted that 
Okamoto fails to disclose or suggest all of the features recited in claims 1-6, 14-16 and 18. 
Specifically, Okamoto fails to disclose or suggest the feature of an encrypted private key as 
recited in claims 1-6 and 14-16 and 18. The encrypted private key is formed by encrypting 
the group private key with the common key. 

As discussed in the personal interview and stated in the Interview Summary, 
Examiners Nobahar and Barron agreed that Okamoto does not disclose or suggest an 
encrypted private key as recited in claims 1, 3-6 and 14-18. Okamoto merely discloses a 
public key that is used to encrypt a common key. 
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Claims 1, 3-6 and 14-18 are amended to more clearly recite this feature and to 
distinguish the group public keys and group private keys from the group member public keys 
and group member private keys. 

Regarding claim 6, it respectfully submitted that Okamoto fails to disclose or suggest 
all of the features recited in claim 6. Specifically, Okamoto fails to disclose or suggest the 
feature of encrypting a modified group private key by use of a common key to generate an 
encrypted modified private key as recited in claim 6. 

It is respectfully submitted that since claim 2 depends from claim 1, claim 2 is 
allowable at least for the same reasons as claim 1 . 

It is respectfully submitted that since claim 8 depends from claim 5, claim 8 is 
allowable at least for the same reasons as claim 5. 

Withdrawal of the rejection of claims 1-6, 14-16 and 18 is respectfully requested. 
VI. Conclusion 

In view of the foregoing, Applicant respectfully submits that this application is in 
condition for allowance. Favorable reconsideration and prompt allowance of claims 1-6 and 
8-19 are earnestly solicited. 
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Should the Examiner believe that anything further would be desirable in order to place 
this application in even better condition for allowance, the Examiner is invited to contact 
Applicant's undersigned representative at the telephone number listed below. 
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David E. Brown 
Registration No. 51,091 



Oliff & Berridge, plc 
P.O. Box 19928 
Alexandria, Virginia 22320 
Telephone: (703) 836-6400 
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METHOD F*(3r GROUP UNIT ENCRYPTION/DECRYPTION, AND METHOD AND 
APPARATUS FOR WRITING SIGNATURE 



BACKGROUND OF THE INVENTION 

1. Field of Invention 

[0001] This invention relates to a public key cryptography technology, and more 
particularly relates to a system for allowing only an arbitrary member in a group to decrypt 
and write the-a_signature by use of a group key which is allowed to be used by only the group 
member. 

2. Description of Related Art 

[0002] A_Cryptography system eaUed referred to as apublic key cryptography 
system is disclosed in U.S. Patent No. 4,200,770. In the public key cryptography system, a 
public key is used for encrypting a plain text and a private key is used for decrypting a 
cryptography text back to a the plain text. The public key and the private key are different 
from each other. The public key may be disclosed to the public and therefore, bteraHy te-be 
known by the public. On the other hand, in the conventional cryptography system systems 
(referred alternatively to as aprivate key cryptography system, asymmetric key cryptography 
system, an d or a conventional cryptography system), since the same key has been isused for 
encryption and decryption, nnd how tn r.ocuro the maintaining confidentiality has been thea 
most serious problem: problem. However, h owever in this_a public key cryptography system, 
maintaining the confidentiality of an encryption key is not necessary needless. In the case that 
the number of persons who communicat e s communicate encrypted documents is n, n x (n- 
1) -h 2 keys are necessary for the conventional cryptography encryption decryption common 
key system, but only n keys are necessary for the public key cryptography system, this is the 
advantage of the public key cryptography system. In addition, the public key cryptography 
system is advantageous in that the same frame can be used in writing the signature of each 
person, namely encryption processing by each person by use of the private key. For example, 
a cryptography communication member P having the private key A converts a communication 
document X by use of the private key A, and sends the converted document Y and the 
communication document X to another member Q, then the member Q converts the converted 
document Y by use of the public key B of the member P and can confirm that it is surely the 
document that is sent by the member P if the conversion result of Y is identical with X. As 
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described h e r e in above, the public key cryptography system is advantageous in several points, 
whieh has several advantageous over the conventional cryptography system does not havo . 

[0003] Japanese Published Unexamined Patent Application No. Hei 7-2978 1 8 
discloses the structure of allocation of the public key and the private key to a group. This 
system is based on the assumption that a group private key is embedded in a physical 
substanc e substance, such as a eard card, and a group member is carrying this card 
consistentl y always has the card in his or her possession . The problems associated with 
management of the key ir . rnnlig a ri Vinnnd on the physical substance that is such as when the 
card is_separated from the ev e rlasting existence namely_an individual , are alleviated by 
structuring the cryptography system of the above-mentioned private key and public key using 
the substance namely the card. 

[0004] In the public key cryptography system, the ev e rlasting e xistence such as an 
individual is set established as an independent unit. Therefore, the public key cryptography 
system cannot function efficiently faHy in the case that it is necessary to sot , for example, 
that it is necessary to establish a plurality of members^ ether rather than an individual^ as a 
single unit. Further, the system in which a card as described h e r e in above is used-4s further 
disadvantageous disadvantaged in thnt n hardware namely a because the card must be used 
inevitably, a card itself must be,and manag e d, managed, and the verification Verification of a 
card holder is problematic when the card holder miss e s th e card is not available due to loss or 
theft, in other word, because it is difficult to verify the card holder in due course. 

[0005] For mc ample. A cooperative working unit may consist of an organization 
such as a department, a section, and a company unit, in a company is a cooperative working 
unit, and also an independent organization which is independent from hierarchical 
organizations such as a task force consisting of a plurality of individuals individuals, is-a 
cooperative working unit. Thn confidentialit y Confidentiality should be maintained betw ee n 
the inside and the outside ofvvdthin a cooperative working unit, but on the other hand-hand, 
the information should be common amon g available to individual members in the inside 
within the cooperative working unit . A cryptography system which allows an arbitrary 
member of the cooperative working unit to decrypt or write a signature on the common 
information is required. 

[0006] Further, in some occasion occasions when a member of the cooperative 
working unit is required to change, for example, to add or to delete the information, therefor e 
the cryptography system should be allowable for a member to operate easily for facilitate such 



changin g a change . Furth e r, to talco a part of th e Regarding a position such as an efSeer 
officer, l ik e for example a chief of personnel departm e n t in a company as in a coop e rative 
working unit , it is required that specific and continuous confidentiality corresponding to the 
rele position should be maintained independently of a specific individual who takes a part of 
tho role at some timo point is acting in a particular capacity in the form which io acceptable of 
the change regardless of the individual who tak e s a part of the rol e assuming the position . 

[0007] The present invention provides a cryptography system for solving the above- 
mentioned problem. It is an object of the present invention to provide a cryptography system 
in which a public key cryptography system can be used in group units, each of which is a 
group consisting of components of individuals and groups instead of individual units so that 
members who belong to a specific group can decrypt the cryptography. 

[0008] Further it is another ebfeet -obiective of the present invention to provide a 
signature system which enables an arbitrary member who belongs a specific group group, to 
write a signature and to verify that a signature on a signed document is the signature written 
by a member who belongs to the specific group. 

SUMMARY OF THE INVENTION 
[0009] According to the present invention, to achieve the above-mentioned obj e ct, 
objectives, m a method for encryption executes, a step ferof storing a group public key, an 
encrypted private key formed by encrypting a group p rivate key corresponding to the group 
public key by use of a common key, and lock data which includes a plurality of encrypted 
common keys generated by encrypting the common key by use of respective public keys of 
the group member, and a step ferof encrypting encryption target data by use of the public key 
of the lock dat a data, aro executed. 

[0010] In this structure, because the lock data includes the oncrypting^ group public 
key, the cryptogram which is formed by encrypting the corresponding group private key by 
use of the common key, and the cryptogram formed by encrypting the above-mentioned 
common key by use of the public keys of the g roup members, a group member can acquire 
the common key by use of the private key of the member itself and further decrypt it by use of 
the common key to acquire the group p rivate key to be used for decrypting the cryptogram. 
As described herein abov e, by encrypting the information by use of the public key of the lock 
data, it is possible to transmit the information without leakage of the information outside of 
the group, to th e outside of tho group/m e mb e r. 
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[0011] In this structure, the above-mentioned encryption target data is used for 
decrypting the encrypted information. For example, so call e d adecryption cryptography 
scheme is realized using this the common key as the decryption key^ _ ao a common key. In 
other words, the common key which has been encrypted by means of the public key 
cryptography system using the lock data -data, is sent to a group member, and the group 
member decrypts the encrypted common key by use of the lock data. Furth e r Further, the 
cryptogram encrypted by use of the common key is decrypted by use of the decrypted 
common key. 

[0012] Further, according to the present invention, to achieve the above-mentioned 
object, objective, in the method for decrypting a cryptogram, executes a step fer_of storing a 
public key, an encrypted private key formed by encrypting a private key corresponding to the 
public key by use of a common key, and lock data which includes a plurality of encrypted 
common keys generated by encrypting the common key by use of respective public keys of 
the group members; a^step fe? of decrypting one of the encrypted common keys included in 
the lock data by use of the private key corresponding to the group/member to generate the 
common keyr -key; a step for of decrypting the encrypted private key included in the lock data 
data, b y use of the decrypted common key to generate the private kevr- kev; a step ferof 
acquiring encryption target data encrypted by use of the public key, and a step ferof 
decrypting the encrypted encryption target data by use of the decrypted private ke^ -key. are 
execut e d. 

[0013] In this structure, a group/m e mb e r group member can acquire the private key 
of the lock data as in the case described herein-above. An arbitrary member can easily 
decrypt a cryptogram encrypted by use of the public key of the lock data. On the other hand, 
any one who is not a member cannot decrypt the cryptogram. 

[0014] Further, according to the present invention, to achieve the above-mentioned 
ebfee^ -obiective, i n a method for writing a signature, executes a step ferof storing a public 
key, an encrypted private key formed by encrypting a private key corresponding to the public 
key by use of a common key, and lock data which includes a plurality of encrypted common 
keys generated by encrypting the common key by use of respective public keys of the 
group/membe r group member; a step fer of decrypting one of the encrypted common keys 
included in the lock data by use of the private key corresponding to the group/member to 
generate the common kevr -kev; a step for of decrypting the encrypted private key included in 
the lock data by use of the decrypted common key to generate the private kevr- kev; a step fer 
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of storing and acquiring signature target data on which a signature to be verified by use of the 
public key is to be written, and a step f&fof writing a signature on the signature target data by 
use of the decrypted private key- key, are e x e cut e d. 

[0015] In this structure, because only the group/m e mb e r group member can acquire 
the private key corresponding to the public key of the lock data as in the case described heroin 
above, the data is verified by use of the private key to thereby write a signature of a 
group/memb e r group member . A member who acquires the data with a signature can verify 
the signature by use of the public key of the lock data. 

[0016] Further, according to the present invention, to achieve the above-mentioned 
object, in the method for generating lock datav executes a step ferof acquiring a pair of a 
public key and a_private kevr -key; a step fer_of acquiring a common kev ^kev; a step fer_of 
encrypting the private key by use of the common key to generate an encrypted private key; 
key; a step fe* of encrypting the common key by use of public keys of respective 
group/momb e rs group member to generate corresponding encrypted common keyrke y; a step 
fefof combining the public keys, the encrypted private kev^ key; and the encrypted common 
keys to generate lock dat a data, arc execut e d. 

[0017] In this structure, because the lock data includes the cryptogram of the private 
key of the lock data encrypted by use of the public keys of the group/m e mb e rs group member , 
only the group/m e mb e r group member can decrypt a cryptogram and write a signature. 

[0018] In this structure, the above-mentioned private key is modified by use of a 
function (including an inverse function) w hich is not a one-directional function (including an 
inverse function), and the modified private key is encrypted by use of the common key for 
holding. 

[0019] Further, a function for generating seed may be used when the common key is 
encrypted by use of the public key of the group/m e mb e r group member . In detail, the public 
key of the group/memb e r group member is calculated by use of a desired function such as 
hash function, and the combination of the value of this hash function and the above- 
mentioned common key (desired calculation, bit catenation) is encrypted by use of the public 
key of the group/m e mb e r group member . Because a seed-different seed for each public key of 
each group/m e mb e r group member is added and the encryption target is varied, no hint is 
given, even though a plurality of cryptograms are available. 

[0020] Further in this structure, a group/m e mb e r group member may be any one of 
an individual, a group of individuals, an organization, and a position in an organization. 



[0021] The above-mentioned lock data may be managed in unit of the above- 
mentioned lock data. A user can use a plurality of lock data as if the plurality of the lock data 
ware-were a bundle of locks. The above-mentioned lock data may be stored in a server to 
which clients can access. 

[0022] The above-mentioned lock data may be structured so as to include a public 
key for verifying a signature signature; an encrypted signature private key which is formed by 
encrypting a signature private key for writing the signature by use of a public key of a 
changing right heldeF^ holder; and a signature written by use of the signature private key on 
desired data included in the lock data. 

[0023] Further, according to the present invention, ift the method for changing lock 
data: executes a step fefof storing lock data including a first public key, an encrypted private 
key formed by encrypting a private key corresponding to the first public key by use of a 
common kevr -kev; a plurality of encrypted common keys formed by encrypting the common 
key by use of public keys of respective grnnp/momhoro. group members; a second public key 
for verifying a signature, an encrypted signature private key formed by encrypting a signature 
private key for writing the signature by use of a public key of a changing right holder, the first 
public key, the encrypted private key, the encrypted common key, the second public key, and 
a signature written by use of the signature private key on the encrypted signature private key, 
a step ferof decrypting the encrypted signature private key included in the lock data by use of 
the private key of a changing right holder, a step feF_of changing the lock data, and a step for 
writing a signature on the changed lock data by use of the signature private keyjcey^4s 
oxoouted. 

[0024] In this structure, because only the changing right holder, and en&y 
additionally the member who generates the lock data, can acquire the signature private key; 
k ev in the case that the signature is successfully verified on the lock data after the change, it is 
then c onfirmed that the lock data is changed by the changing right holder. 

[0025] In an alternate embodiment. Further in thifl Gtructure, the step fefof 
changing the above-mentioned lock data may bo otruoturod ao ao tojnay include a step fefof 
changing the second public key, a step fefof changing the signature private key, a step fexof 
changing the encrypted signature private key before changing by use of a new encrypted 
signature private key newly formed by encrypting a changed signature private key by use of 
the public key of a changing right holder, and a step ferof writing a signature by use of the 



signature private key after changing. In this case, the changing right holder can set a changing 
right holder by setting a new signature public key and private key. 

[0026] The above-mentioned lock data may include a version identifier for 
indicating the version of the above-mentioned lock data. The above-mentioned lock data may 
include a precedent version dealing identifier to control how to deal with the lock data of the 
precedent version based on the identifier. The above-mentioned precedent version dealing 
identifier may be generated based on the change content of the above-mentioned lock data. 
Furth e r Further, the above-mentioned precedent version dealing identifier may include the 
information for identifying whether the change of the above-mentioned lock data should be 
applied retroactively or not. 

[0027] The present invention may be realized as hardware or may be realized at 
least partially as software. In the case of software, it can be installed in a computer system by 
way of a communication medium or software package (recording medium). 

BRIEF DESCRIPTION OF THE DRAWINGS 

[0028] FIG. 1 is a diagram for illustrating a calculation rule for determining the trust 
level of the complex lock. 

[0029] FIG. 2 is a diagram for illustrating a calculation rule for determining the trust 
level of others based on the trust level in the trust body and the trust level of the trust body in 
others. 

[0030] FIG. 3 is a structural diagram for illustrating the outline of the whole 
cryptography system of the present invention. 

[0031] FIG. 4 is a diagram for illustrating the structure of the group lock of the 
present invention. 

[0032] FIG. 5 is a diagram for illustrating the structure of the public lock list of the 
present invention. 

[0033] FIG. 6 is a diagram for illustrating the structure of the private lock list of the 
present invention. 

[0034] FIG. 7 is a diagram for illustrating the structure of the cryptography of the 
present invention. 

[0035] FIG. 8 is a flowchart for describing the group lock generation flow of the 
present invention. 

[0036] FIG. 9 is a flowchart for describing the flow for addition to a lock list of the 
present invention. 
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[0037] FIG. 10 is a flowchart for describing the flow for judgement of usability of a 
private lock of the present invention. 

[0038] FIG. 1 1 is a flowchart for describing the encryption flow of the present 
invention. 

[0039] FIG. 12 is a flowchart for describing the decryptability judgement flow of 
the present invention. 

[0040] FIG. 13 is a flowchart for describing the flow for acquiring a private key in a 
private lock list of the present invention. 

[0041] FIG. 14 is a flowchart for describing the decryption flow of the present 
invention. 

[0042] FIG. 1 5 is a flowchart for describing the signature confirming flow of the 
present invention. 

[0043] FIG. 16 is a flowchart (1) for describing the group lock changing flow of the 
present invention. 

[0044] FIG. 17 is a flowchart (2) for describing the group lock changing flow of the 
present invention. 

[0045] FIG. 18 is a diagram for illustrating a system to which the present invention 
is applied. 

DETAILED DESCRIPTION OF PREFERRED EMBODIMENTS 
[0046] First the a general outline of the present invention wiH-be- js_described 
below . A set of individuals is referred to as a group and an individual namely a_ or member, 
who is a component of a group, is referred to as a member hereinafter. The present invention 
is a public key cryptography system to which the concept of group is introduced. In other 
words, the present invention is a cryptography system incorporated with two main functions 
including the encryption function function, for enabling an arbitrary member who belongs to 
a specific group to decrypt the crypto graph v cryptography, and the signature function for 
enabling an arbitrary member who belongs to a specific group to write a signature. The 
present invention is advantageous in that the member who has written the signature is not 
eterifled identified but only the fact that some one someone w ho belongs to the group has 
written the signature in clarifi e d is identified b ecause a signature ean-be-is_written by use of 
the group private key. 

[0047] A pair of keys, a private key and a public ke y key, corresponding to a group 
is are provided, and theoo koyo are referred to as group private key and group public key 
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respectively. Further Further, a common key (symmetric cryptography key) for encrypting the 
group cryptography key is provided. A group private key is encrypted by use of a common 
key, and the common key is encrypted by use of an individual public keys- key of all the 
members, and -thereby forming a set of encrypted common koys is form e d. keys^_The set of 
the encrypted common keys and the encrypted group private key are made available at least 
for the respective members, members of the group. An arbitrary member who belongs to _of 
the group can decrypt the common key (which has encrypted by use of the corresponding 
individual public key) by use of the individual private key of the member itself, and further 
can decrypt the group private key by use of the decrypted common key, in other words can 
acquire the group private key. As described herein-above, an-arbitrary information is 
encrypted by use of the group public key, and then an arbitrary member of the group can 
decrypt the encrypted information by use of the group private key acquired as described 
herein-above. Similarly Similarly, a member of the group can write a signature by use of the 
group private key. 

[0048] The generation of a pair of the group private key and the group public key 
which are necessary to reafe e implement these functions, the generation of the common key, 
encryption processing by use of the group public key, and processing the process for changing 
the member of the group such as adding or deleting of the memb e r member, are described 
hereinaft e r, below. 

[0049] To maintain the confidentiality of information by means of encryption of the 
information, the location of the encrypted information itself is not qu e stion e d, known, in 
other words, is not clarifi e d identified . This concept m e ans thatJ Thus^ a mechanism for re- 
encrypting for some reason the information for any reason, which has been encrypted 
previously cannot be accopted_ used. The reason is that it is difficult to specify the location of 
the information which is want e d to be re-encrypted because the location is not qu e stion e d. 
known. Therefore, when a member who is of a group compon e nt is changed, the already 
encrypted information is not ro encrypted re-encrypted, b ut instead a new key is generat e d 
instead, generated. In the conventional public key cryptography system which is used in 
individual unit, an individual who has his or her own corresponding is an e verlasting 
existence and the keyjcey^ are in th e relation of one to one correspond e nc e and renewal of the 
group key is not f* ecossarv. necessary, how e v e r However, the renewal of it is necessary to 
renew the key is necessary for changing the component of the group because of the 
rnrrp.npnndont relation relationship b etw e en group and the k e y key corresponds to the 
individual member. 
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[0050] fa-fe e The present invention provides an effective means for providing a 
cryptography and signature system of tho present inv e ntion, an e ffectiv e function not only in 
the case of the above-mentioned encryption and writing signature in group uaks units, but 
also in the case that a key- key, corresponding to a rolo of an individual engag e d in a p osition 
for talcing a specific rol e in an organization such as the chief of personnel department in a 
company company, is provid e d . For example, there is a key corresponding to the role 
position of the chief of personnel department, when the individual who is engaged in the chief 
of personnel department is changed, it is possible to accommodate the change in the real 
world by changing the key corresponding to the gele -position of the chief of personnel 
department. A member who wants to send an encrypted document to the chief of personnel 
department may encrypt the document by use of the public key corresponding to the 
conventional key for this role- position (chief of personnel department). The new or 
subsequent chief of personnel department can check the encrypted information by use of the 
public key corresponding to the former rete- position in tho past w ithout changing the 
information which has Hep.n nnrxyptod alr e ady, already encrypted. 

[0051] In a group having a purpose such as a project group in a company, the work 
based on cooperative work and ml or , participated bv the positions of a plurality of members is 
important, and the members of the cooperative working group or individuals who are taking a 
gele- position are not fixed. Therefore, tho more strict confidentiality between the inside and 
outside of the group is required. 

[0052] Recently, the system for giving assurance of a certain level to the public key 
key, called as-authentication e£6ee -office, in the information network service has been 
popularly used, it is possible to exclude vitiated keys by use of an authentication office in the ^ 
present invention. 

[0053] Next, respective components of the present invention is-are_described. The 
respective components described heroin under b elow_are described. 

(1) Complex lock 

(2) Group lock 

(3) Individual lock 

(4) Private key of an individual lock 

(5) Complex lock list 

(6) Trust body 

(7) Authentication office 
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(1) Complex lock 

[0054] The complex lock is a generic name of the lock for realizing the group lock 
(role lock) and individual lock described hereinafter, and in detail the electronic data having 
components described herein under. 

a. Name 

[0055] A name is a character string for indicating an substrate in the real world 
corresponding to a complex lock which a person can read, and takes a role as aran_identifier 
of the complex lock. It is not desirable to use a space or confusable character string so that a 
person does not recognize confusingly different character strings as the same character string. 

b. Forming date and forming personnel. 

[0056] The forming date and forming personnel are the date when the complex lock 
is formed and the personnel who forms the complex lock. The forming p ersonnel writes a 
signature on all the formed complex locks. The signature procedure includes encryption of 
the electronic data which constitutes the complex lock by use of the individual key of the 
forming personnel. 

c. A private key which is encrypted by use of the common key 

[0057] This is the encrypted key which is formed by encrypting the private key of 
the decrypting lock by use of the common key. 

d. List of common key 

[0058] The list of common key is a list formed by a method in which the common 
key formed by encrypting the private key of the common lock is encrypted by use of the 
public key of the member and the name of the member (any data for identifying the member 
may be used) is given as a label. The common key can be decrypted by decrypting b y use of 
the private key of the member, and further as the result, the private key of the complex lock is 
decrypted to acquire. A cryptography sent from others can be decrypted by use of the private 
key of the complex lock. 

e. Public key 

[0059] The public key is the public key of the complex lock. The data is converted 
to cryptography by use of the public key when the information is encrypted. 

f. Private lock list of changing lock. 

[0060] A first p air of a public key and a private key is required for controlling the 
changing right of the complex lock is required independently independent from e£4hea 
second pair of the public key and the private key used for maintaining the confidentiality of 
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the information. This first p air is referred to as changing lock. The complex lock holds the 
list formed by a process in which the private key of the changing lock is encrypted by use of 
the public key of the changing right holder and the name of the changing right holder is given 
as a label. Only the changing right holder of the complex lock is allowed to form a complex 
lock of a new version by changing the complex lock, for example, by adding or deleting a 
member. The changing right holder is de s ignated previously, p reviously designated. When a 
complex lock is changed by a changing right holder and changed to a new version, the 
complex lock can be set automatically so that a person who trusts the old version can trust the 
new version. This is referred to as an automatic trusting mechanism. The trust of the lock 
will be described hereinaft e r, b elow. T o clarify that the complex lock is changed by a proper 
changing right holder, a signature is written by use of the private key of the changed lock 
when the complex lock is changed. However, if all members of the complex lock have the 
changing right of the complex leek- lock, a pair for maintaining confidentiality is used. In this 
case, the signature is written by use of the private key of the current version, 
g. Public key of changed lock. 

[0061] The public key of the changed lock is the counter part of the private key of 
the above-mentioned changed lock for mnntitiiting together and forms a pair, and used for 
decryption of the complex lock with signature by use of the above-mentioned private key of 
the changed lock, it may be possible to confirm the signature. In addition, the teen-period of 
validity of the complex key or the term- period of validity during the off-line period when the 
authentication office is not available for communication is added to control the use of the 
complex lock. 

(2) Group lock 

[0062] The group lock is the complex lock corronponding that corresponds to the 
group of the real world. The group includes a plurality of members generally. The group 
lock also functions alse as the role lock (for example, chief of personnel department). 

(3) Individual lock 

[0063] The individual lock is a complex lock rorronponding that corresponds to an 
individual. The individual lock is realized by means of the complex lock. A member of the 
complex lock as the individual lock specifies a trustee. The trustee means a person other than 
the individual to whom the same right as the individual has is given with conditions. This 
system allows the trustee who can take a role as an alternative to the individual to decrypt the 
information when the individual forgets the pass phrase. For example, the individual lock is 
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provided to avoid the risk caused by depending on one individual to keep the confidentiality 
of information and to decrypt information in the company. Further the individual lock can be 
used to audit or censor the information. It may be possible to set the condition that the 
approval of a plurality of specified trustees is required for the trustee to use the individual 
lock. 

(4) Private key of the individual lock 

[0064] The private key of the individual lock is protected so as to be only accessed 
by only the user. For example, the private key is protected by the common key cryptography 
technique in which a pass phrase known only by the individual (user) is used as the key for 
decrypting the cryptography. Otherwise, the private key may be protected by a method in 
which the private key of the individual lock is stored in a special device (IC card, PDA 
(Personal Digital Assist)), which the user can carry always carries , and it is taken out when it 
is required. Further othorwioe. In addition, the private key may be protected by a method in 
which the physical and bodily feature of the user (finger print, voice print, eyeground 
neurolemma pattern, and the like) is detected for identification. Yot othorwioe, Alternately, 
the private key may be protected by a method in which the feature of a signature is detected 
for identification. Other various access control methods may be employed. As described 
herein-above, only the user can get the private key when it is necessary. 

(5) Complex lock list 

[0065] The complex lock list means the complex lock list in which the trustability 
of individuals are-is_clarified. The complex lock and the corresponding trustability are 
maintained in the form of a pair. An individual is judged depending on the trustability in the 
list when the complex lock is used. The trustability of the complex lock which is not listed in 
the list is interpreted to be unclear. For example, the complex lock list is used when an 
individual or a grou p group, who is allowed to decrypt the cryptography is specified in the 
complex lock lis t list, to get the public key from the corresponding complex lock and an 
encrypted private key is generated. In other words, the complex lock list is a public lock list 
in which the public key of trusted individuals and groups is registered indirectly, therefore 
indirectly therefore, the complex lock list may be a public lock list in which the public key 
keys of individuals or groups are registered directly. The complex lock itself may be a 
complex lock which is stored in an apparatus located far apart for reference in addition to the 
complex lock stored in an apparatus located here, and otherwise the complex locks stored in 
this apparatus and the outside this apparatus are used mix e dly. interchangeably. 

(6) Trust body 
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[0066] In the present invention, the complex lock used in a group can be generated 
by anyone, but cannot be an effective key without a level of trust. The trust of the complex 
lock means that the actual correspondence between the group (including role or position) 
which is existing as a substance in the real world and the complex lock which is expect e d to 
b e corr e spond e nt corresponds to the group A is trusted. In detail, not onl y both the 
correspondent relation relationship b etween the group and the complex lock but also and the 
coincidence between the member of the group in the real world at the time point of trusting 
and the member included in the complex lock i s are required. For example, it is assumed that 
there is a complex lock having the name "Personnel Department, First Section". It may be 
possible that a group in the real world having the name "Personnel Department, Personnel 
Section" exists, but a group in the real world having the name "Personnel Department, First 
Section" does not exist. It may be also possible that though a group in the real world having 
the name "Personnel Department, First Section" exists, a corresponding proper complex lock 
does not exist. Therefore, a complex lock cannot be trusted based on only the name of the 
complex lock. Also a complex lock cannot be trusted in the case that, though some members 
in "Personnel Department, First Section" have been changed, such changed members remain 
in the member of the complex lock. 

[0067] The information which describes trustability of the complex lock is referred 
to as trust information. The information which describes the trustability of the trust 
information itself is also included in the trust information. The main body which holds the 
trust information is referred to as the trust body. Trusting the trust information and the 
complex lock based on what reason is dependent on the trust body. The trust body is 
classified into two types, namely individual and authentication office which will be described 
in (7) hereinafter. A trust body can trust other trust bodies. In sueh- such a case, a trust body 
who is tFusted -trusted, is referred to as -as a trusted body. A trust body uses the complex lock 
only when the complex lock is trusted. When a trust body does not have the direct trust 
information on the complex lock, it may be possible that the trust body can trust the complex 
lock if another trust body which is trusted by the trust body trusts the complex lock. 

[0068] For example, it is assumed that there is an individual "Mr. Tanake" and an 
authentication office "X Trading Company" as the trust body. They are in the relation that the 
individual "Mr. Tanaka" trusts automatically any complex lock as long as the authentication 
office "X Trading Company" trusts it if the individual "Mr. Tanaka" trusts the authentication 
office "X Trading Company", but on the other hand, the authentication office "X Trading 
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Company" does not necessarily trust the complex lock which the individual "Mr. Tanaka" 
trusts. 

[0069] The degree of trustability is fated- grouped into ratings, and the rating is 
referred to as trust level. It is possible to obtain the trustability of a complex lock having 
unknown trustability by calculation using the trust level. The trust level used at that time is, 
for example, an exemplary table of trust level shown herein under. 
[Table 1] 

Level © : fully trust 
Level O : sufficiently trust 
Level A : somewhat trust 
Level ? : unknown 
Level x : not trust 

[0070] FIG. 1 shows an example in which the trust level of a complex lock having 
the unknown trust level is obtained from the trust level of complex locks of two different trust 
bodies, for example, two different individuals A and B, which are independent from the same 
complex lock. The first row in FIG. 1 shows the trust level of the individual A and the left 
column in FIG. 1 shows the trust level of the individual B, and the result is shown in the form 
of table. For example, if the trust level set on the individual A is-O-is^O^and the trust level 
set on the individual B4s-?r -is "?", then the trust level of the complex lock is-Ovis^Ol 

[0071] For example, the calculation rule as shown in FIG. 2 is used for calculation 
of the trust level in which the trust level in this trust body and the trust level in another trust 
body of this trust body or the trust level in the complex lock are used. The first row in FIG. 2 
shows the trust level in this trust body and the left column in FIG. 2 shows the trust level in 
another trust body of this trust body or the trust level in the complex lock, and the result is 
shown in the form of tables -tables. For example, if the trust level in this trust body is-O-is 
^OUand the trust level set by this trust level is-is "?", then the trust level of the complex lock 
is ?. is "?". As described herein-above, it is possible to determine the trustability of a trust 
body having the unknown trustability or complex lock by use of the calculation rule shown in 
FIG. 1 or FIG. 2. 
(7) Authentication office 

[0072] The authentication office is one of trust bodies as described herein-above. 
The function provided by the authentication office is to express or provide the public trust in 
the unit like an company or organization, where, for example, some cryptography system is 
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used. The trust criterion of the complex lock in the authentication office is determined 
arbitrarily by a company or an organization which operates this authentication office. Several 
methods as described h e r e in und e r below are available as the method for determining the trust 
criterion. In the following description, "to guarantee" means the action that an individual 
other than the registrant registrant, certifies the validity of the complex lock to be registered. 

[0073] a) The validity is confirmed by means of any procedure performed by a 
specific manager of the authentication office. When the validity is confirmed, the 
authentication office trusts the complex lock. Any procedure described herein above means 
arbitrary procedure in the real world. For example, any procedure includes fing e r print 
fingerprint p ut on the application form or confirmation procedure by means of an 
identification paper or card of the applicant. Otherwise, the complex lock may be trusted for 
registration by means of various ways, for example, duplicated confirmation of the name, 
guarantee by other specific individual indicated for each registrant, guarantee by guarantors in 
a prescribed number, or signatures of individuals whom the authentication office trusts in a 
prescribed number determined previously. 
Example 

[0074] An example of the cryptography system which uses the group lock is 
described h e r e inaft e r, b elow. A case in which the group lock in the complex lock as 
described h e r e inb e fore above is used -used, is described hereinafter, b elow, and in the case 
that the other type of the complex leek -lock, n amely the individual leefe-lock^is us e d, used. 
similarly Similarly the cryptography system is structured with the same structure and the same 
manner excepting except that the member in the group lock is changed to the trustee in the 
individual lock. The abov e m e ntion e d before-mentioned role lock is included in the special 
application of the group lock, to make the function of the group lock effective as the role 
lock, the number of members of the group lock is sefc-l- set to 1 , and the individual who is 
engaged in the role currently may be assigned as the only member. It may be possible to 
operate the group lock in which the member of the role lock of the vice-president includes a 
secretary in addition to the vice-president himself. 

[0075] Each member who uses the cryptography system of the present invention 
holds two lock lists. In detail, a) "public lock list" namely the list of the group lock which 
respective members trust and the individual lock, and b) "private lock list" namely the list of 
the group lock from which each member can acquires directly or indirectly the private key 
based on the private key of the member itself. For the purpose of simplicity, it is assumed 
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that the group and individual lock included in the "public lock list" are trusted, and the 
medium trust level such as "somewhat trust" is not givenused. Whether it is trusted or not is 
determined based on the above-mentioned calculation rule of degree of trustability or based 
on the judgement bv-of a us e r, user, and the The detailed description in the example is 
omitted. However, it is assumed that the group lock a after a^change is trusted automatically in 
the case tha t when an automatic trust mechanisi^ in which the group lock used just before the 
change is trusted when the group lock is changed is in function functioning , nam e ly in th e 
cas e that th e group lock us e d b e for e th e chang e is trust e d. The registration procedure to the 
above-mentioned authentication office is not described directly h e r e inaft e r below in the 
example, in the case that there is the authentication office in a network as described h e r e in 
above, the lock which is generated or changed is registered to the authentication office. 
However, this registration procedure is not sine qua non of the present invention. 

[0076] Fifs^ -First the whole structure of the example is described with reference to 
FIG. 3. The basic function of the present example is to transmit the information correctly and 
confidentially from an individual to another individual. The individual may belong to a 
group. The information may be transmitted by means of direct transmission such as mail or 
indirect transmission through a file service. 

[0077] Not only the cryptography but also the individual public key or group lock is 
transmitted between individuals as shown in FIG. 3 as required. In the case that the judgment 
to determine whether the individual public key and group lock properly correspond to the 
individual and group which exist in the real world is required, it is necessary to establish a 
judgement procedure. 

[0078] When a plain document in "individual" shown in FIG. 3 is encrypted to a 
cryptographic document, a lock corresponding to the lock which an individual or a group who 
is to be allowed to decrypt the cryptographic document holds is selected from the lock list for 
encryption. The cryptogram which the selected individual or an individual who belongs to 
the selected group can decrypt is thereby generated. Otherwise, a plain document is 
decrypted by means of a common key KA, and a lock corresponding to the lock which an 
individual or a group who is to be allowed to decrypt the decrypting key KB required to 
decrypt the cryptography holds is selected from the lock list, and the selected lock is 
encrypted and transmitted. 

[0079] When the transmitted encrypted information is decrypted, the encrypted 
information is decrypted by use of the individual private key of the individual if the obtained 
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cryptographic information can be directly decrypted by use of the individual private key of the 
individual. If the obtained cryptographic information can be decrypted by use of the group 
lock to which the individual belongs indirectly or directly, the group lock is converted to the 
group private key by use of the individual private key of the individual to obtain the group 
private key, and the cryptographic information is decrypted by use of the group private key. 
The group private key is discarded just after it is used, and the individual does not hold it. In 
this system, only the individual private key is required for "individual" to keep it confidential. 
In the case that the cryptographic information is decrypted by use of the common key KA, 
first the decrypting key KB which is necessary for decryption is decrypted by use of the 
individual private key of the individual. If the cryptographic information can be decrypted by 
use of the group to which the individual belongs, the group lock is converted to the group 
private key by use of the individual private key of the individual to obtain the group private 
key, and the decrypting key KB is acquired by use of the group private key and the 
cryptographic information is decrypted to a plain document by use of the decrypting key KB. 
[Group lock] 

[0080] The structure of the group lock in the present example is shown in FIG. 4. 
Reference characters shown in FIG. 4 are described heroin unde r below . 
Lq : the label of this group lock. 

[0081] The label is a character string. The duplication Duplication is not allowed in 
a lock list of an individual. The label is not used as an identifier because duplication may 
occur as a whole. As the public key is not coincident unless the label is coincident, as a result 
the processing can be performed faster r e sultantly . 

P G : the public key of this group lock 

[0082] The public key of this group key is a public key corresponding to the public 
key cryptography system to be used, and this is generally a data string having a fixed length 
consisting of 512 bits to 2048 bits. When a plain document is encrypted so that all 
individuals who belong directly or indirectly to this group can decrypt the encrypted 
document, this public key is used for encryption. Further, when the information with a 
signature of an arbitrary individual who belongs directly or indirectly to this group is to be 
confirmed, the signature is confirmed by use of this public key. The public key is included in 
the group lock as it is, and any individual can check the public key. 

Sg : Private key of this group 
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[0083] The private key of this group is a private key corresponding to the public key 
cryptography system which is being used, and generally a data string having a fixed length 
consisting of 512 bits to 2048 bits. The private key of this group is used when a cryptogram 
encrypted by use of the corresponding public key is decrypted. The private key of this group 
is used also when an arbitrary individual who belongs directly or indirectly to this group 
writes a signature as an individual of this group. The private key is a key which is encrypted 
combin e dly by use of the private key of an individual and the common key directly or 
indirectly, and when the private key is used, first the common key is decrypted by use of the 
private key of the individual and the private key of the group lock is thereafter decrypted for 
acquiring. The private key of the group lock is discarded just after use and io not hold alon e. 
Cg : Common key for encrypting the private key of the group lock 
[0084] This key is the common key, and a known key such as DES, FEAL, or the 
like may be used. The size of the key consists generally of 40 bits to 128 bits. 

Cg (Sg) : Private key of the group lock encrypted by use of the common key Cg 
[0085] This key is a cryptogram which is formed by encrypting the private key Sg of 
the group lock by use of the common key. The common key Cg is necessary to acquire the 
private key Sg. 

Mi : Member of this group 

[0086] Mi is the existence in concept, and does not appear in the data structure 
directly. A member may be an individual or a group. As described hereinbefore, in the case 
of an individual key instead of a group key, the member means the trustee. 

Pu : Public key for changing this group lock 

[0087] This key is a public key corresponding to the public key cryptography system 
which is being used, and is generally a data string consisting of 512 bits to 2048 bits. It is 
required that the group adds or deletes the member. As the method for identifying the person 
who has the right to perform such change, a pair of an exclusive public key and private key is 
used. This key is such public key. The group key includes the private key for changing 
which has been decrypted directly or indirectly by use of the individual private key that 
belonging to the individual having the changing right has, right. When the group lock is 
changed, the new group lock is signed by use of the private key for changing. Because only 
the changing right holder can have the private key for changing, the signature validates that 
the change has been done by a proper changing right holder. The validation is processed 
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automatically if the previous group key is trusted. Any on e Anyone can refers refer to this 
public key for changing because the public key for changing is included in the form as it is. 
Su : Private key for changing this group lock 

[0088] This key is a private key corresponding to the public key cryptography 
system which is being used, and is generally a data string of fixed length consisting of 512 
bits to 2048 bits. The function is the same as that described for Py. 

Cu : Common key for encrypting the private key Su for changing the group lock. 

[0089] This key is a conventional common kev^ar -kev. A known key such as DES, 
FEAL, or the like may be used. The size of a key is generally 40 bits to 128 bits. 

Cu (Su) : Private key for changing the group lock which has been encrypted by use of 
the common key Cu. 

[0090] This key is a cryptogram which has been formed by encrypting the private 
key Su for changing the group lock. The common key Cu is necessary to obtain the private 
key Su- 

V : Version number of this group lock 

[0091] V is a natural number. V is 1 when a new group lock is generated. V 
indicates the version of the group lock. When the group lock is changed, the version number 
is added 1 on the reference version number. 

F : Value indicating processing of immediately precedent v e rsion version. 

[0092] F is any one of "unnecessary", "necessary", and "deletion". When the group 
lock is changed, an individual who has the immediately precedent v e rsion version, is required 
to deal the immediately precedent version properly because the individual has the new 
version. The value "unnecessary" means that the immediately precedent version is 
unnecessary. The value "necessary" means that the immediately precedent version is 
necessary to validate the signature written by use of the immediately precedent version to 
decrypt a cryptogram formed by use of the immediately precedent version. In this case, the 
new version should be used for new encryption and signature. The value "delete" is 
approximately equal to "unnecessary", and means that the immediately precedent version 
should be deleted when the individual cannot acquire the private key of the new version. 
When a group lock is g e nerat e d n e wly, newly generated, this value is meaningless. 

Ui: Changing right holder of this group 

[0093] Ui is a conceptual existence and does not appear on the data structure. The 
changing right holder is assigned to an individual or a group. 
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Lm : Label of Mi 

[0094] Lm is a label character string. This label is the label of a group lock of other 
another group or individual key who is a direct member of this group lock. Though the 
individual lock is not described in the present example, the individual lock consists of a 
private key which is managed by the corresponding individual and a public key which is 
open, and a label is not given at least to the public key. 

P M i : Public key of Mi 

[0095] P M i is a public key corresponding to the public key cryptography system 
which is used, and is generally a data string of fixed length consisting of 512 bits to 2048 bits. 
The public key of the direct member of this group. 

Pmi (Cg) : Cg encrypted by use of Pm* 

[0096] P\ii is obtained by encrypting Cg by encryption processing corresponding to 
the public key cryptography system which is used. To acquire Cg by use of Pj^i, the private 
key SMi-SAii_corresponding to Pmi is necessary. This is held by means ef-of an arrangement 
which uses the corresponding Lm as an index. 

Lui : Label of Ui 

[0097] This is a label character string of Ui. This is the label of the individual lock 
of the individual who is the changing right holder of this group lock. 
Pui : Public keyofUi 

[0098] This is the public key corresponding to the public key cryptography system 
which is being used, and is generally a data string of a fixed length consisting of 512 bits to 
2048 bits. This is the public key of the individual who is the changing right holder of this 
group lock or the public key of the group lock. 

Pui (Cu) : Cu encrypted by use of the public key of Ui 

[0099] This is obtained by encrypting Cu by means of encryption processing 
corresponding to the public key cryptography system which is used. To acquire Cu by use of 
this Pui, the private key Sui corresponding to Pw-Pyi^is necessary. This is held by means e£of 
an arrangement which uses the corresponding Lui as an index. In the present example, the 
private key is added with the information to identify the data and then encrypted like the 
packet data structure in fee-packet communication. Therefore, whether the private key is 
normally decrypted or nefc -noU can be judged easily based on the additional information when 
the encrypted private key is decrypted. 

Sig (Su) : Signature by Su for the whole. 
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[0100] This is a data string for indicating a signature. Herein, the whole means Lc, 
Pg, C g (S g ), V, F, Pu, Cu(Su), L M i, Pm* (C g ), L Ui? and Pui (Cu). Signature means encryption 
processing by use of the private key Su- In the public key cryptography system, . conversely 
as opposed to the normal system, the data is encrypted by use of the private key and the 
encrypted data can be decrypted by use of the public key. Because the data must be encrypted 
by use of the private key in order to decrypt it by use of the public key, it is confirmed that the 
signature is written by use of the private key by confirming decryption by use of the public 
key. Actually, the message digest is applied to the target range and a signature is put on the 
proc e ssing result processed by use of the private key Su- The message digest m e ans a 
processing means, which is a process in which the information consisting of about 128 bits, 
depending on the content of the target range, is generated regardless of the size of the target 
range because the encryption of the entire target range of the signature requires high cost. A 
disclosed message digest processing algorithm is used and a key is not used. For 
confirmation, the encrypted target data is subjected to message digest, and whether the 
signature and the decrypted result are coincident or not is confirmed. The message digest 
processing is a processing process similar to the check sum, and on the other hand by using 
the direction function in the proc e ssing, p rocess, it is made difficult to forge the input data 
which generates the same result. Further, because the size of the generated data is large, it is 
difficult to forge the data as a round robin. The name "Message digest" is a generally known 
name in the cryptography related field, and the-awell known system. It is assumed that the 
message digest processing function is fMd, the complex operation of the target data is 
expressed by arithmetic sum, and the signature written by use of Su is expressed by a function 
Su> then Sig (Su) is obtained as the result of the following processing. 
[Expression 1] 

Su (f M d (Lg+Pg+Cg (S g )+Pu+Cu(Su) 

n 

+2(L M i+PMi(S G )+Lui +Pui(Su)))) 
i=l 

Su 1 : Su of the precedent version 

[0101] This is a private key corresponding to the public key cryptography system 
which is being used, and is generally a data string of fixed length consisting of 512 bits to 
2048 bits. This is the private key for changing the immediately precedent version. This 
functions similarly to Su (in detail, refer to the description of Pu). 
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Sig (Su) : Signature by use of Su for the-whel e whole. 

[0102] This is a data string which indicates a signature. Herein the whole means 
Lg, P g , C g (S g ), V, F, Pu, C v (Su), L Mi , P M i (Co), L yi , Pu» (Cu), and Sig (Su). This is not 
given when this is generated newly. Sig. (Su') is expressed as described herein under 
similarly to the Sig (Su). 
[Expression 2] 

Su (fMd(LG+PG+C G (S G )+Pu+Cu(Su) 

n 

+S(LMi+PMi(C G )+Lui+Pui(Cu)+Sig(Su)))) 
i=l 

[0103] In the present example, the signature covers the whole data, however the 
signature may partially cover the data which is wanted to be prevented from forgin g forgery . 
[Public lock list] 

[0104] FIG. 5 shows the structure of the public lock list in the present example. 
The public lock list is owned independently by individuals, the group lock and the individual 
lock which the individual trusts trusts, is held by the arrangement having the label of the lock 
as an index. 

[0105] As shown in FIG. 5, the public lock list consists of Gi (trusted group lock), 
Lgi (label of the group lock Gi), Ii (public key of trusted individual), and Lli (label 
corresponding to the public key Ii of the individual). 

[0106] The judgement of the trustability of the lock which is required when a new 
data is added to the public lock list relied on the public lock list holder in the present 
example. However, the subsequent version of the group lock which has been trusted is 
subjected to automatic trusting. Otherwise, it is possible to determine the trustable lock or 
trust body by means of the calculation rule associated with the above-mentioned trust level. 
In this case, the trust level can be determined surely and easily by using the trust relation 
registered in the above-mentioned authentication office. 

[0107] A decryptable group or individual is designated for encryption, at that time, 
and at least one or more corresponding group locks or individual locks are selected from the 
public lock list for designation. 

[0108] When the validity of the signature is confirmed, the public key 
corresponding to the private key which has been used for writing the signatur e signature, is 
taken out from the public lock list for using. 
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[Private lock list] 

[0109] The structure of the private lock list in the present example is shown in 
FIG. 6. The private lock list is owned independently by individuals, and holds the group lock 
by which the individual can acquire the private key in the form e £of an arrangement having 
the label of the group lock as an index. The private key is acquired by directly or indirectly 
by applying the individual private key of the individual to the group lock. 

[0110] As shown in FIG. 6, the private lock list consists of Gi (group lock which is 
used with using the private key) and L& (label of the group lock Gi). 

[0111] If the group private key in the internal of the group lock can be acquired by 
directly or indirectly by applying the individual private key of the individual in the proc e ssing 
process, to add the group lock to the public lock list, addition to the private lock list is 
performed when added. Therefore, it is not necessary for the user to be conscious of addition 
proc e ssing, p rocess. It should be recognized that the fact that the group private key in the 
internal of the group is acquired by use of the individual private key of the individual 
individual, does not necessarily mean that the group key is trustable. 

[0112] The judgement of the possibility of decryption is made faster by using the 
private lock list for decryption. Further, in the actual decryption processing, the private lock 
list is used for acquisition processing of the necessary group private key. 

[0113] In writing a signature, the group private key in the private lock list other than 
the individual private key of the individual may be used for writing a signature. If a signature 
is written as described herein-above, then the receiver who receives a cryptogram can identify 
the sender either an individual or group. Further, if the public key of the private lock used for 
the signature is attached together with the signature, the signature is validated easily and the 
receiver can validate the sender easily based on the public key without checking the signature. 
[Cryptogram] 

[0114] The structure of the cryptogram of the present example is shown in FIG. 7. 
In the present example, L M i of the group lock and the list of the paired P M i (Sq) have the same 
structure, and a cryptogram can be thereby decrypted by using any one of a plurality of private 
keys. As the result, when the information which is wanted to be disclosed to a plurality of 
members is encrypted, it is not necessarily required to form the group lock. In other words, a 
receiver group consisting of individuals and groups selected arbitrarily from the public lock 
list is temporarily formed, form e d t e mporarily. 
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[0115] The meaning of each character shown in FIG. 7 is described heroin 
tffldePr below. 

Pi : Decryptable group lock or public key of an individual 

[01 16] This is a public key corresponding to the public key cryptography system 
which is used, and is generally a data string of fixed length consisting of 5 12 bits to 2048 bits. 
Li : Label of Pi 

This is a label character string. 

D : Plain document (information to be confidential) 

This is an arbitrary character string. 

K : Common key formed by encrypting the plain documont D document D. 

[0117] Because encrypting processing and decrypting processing are slew -slow, due 
to the public key cryptography, the hybrid system in which a plain document is encrypted by 
means of common key cryptography and only the common key is encrypted by means of 
public key cryptography cryptography, is generally employed. The K is the common key. In 
the present example, K is encrypted respectively by use of K to thereby enable a plurality of 
groups or individuals to decrypt the encrypted document. 

Pi (K) : K encrypted by use of Pi. 

K (D) : D encrypted by use of-P i Pi. 

S : Private key which a member who performs encryption processing can use 
[0118] This is a private key used when a signature is given to a cryptogram. Any 
one of the individual private key of the individual and the private key of the group lock 
included in the private lock list is used. 

P : Public key P which is paired with the private key S used for signature 
[0119] The public key corresponding to the private key which the signer has used 
for signature according to the assertion is used when the signature is validated. It is held to 
specify the public key. If the public key is included in the public lock list of the receiver itself 
in the receiver side who has received the cryptogram, the receiver can validate that the 
signature written by a group or an individual who the receiver trusts is put, and the receiver 
can validate a sender individual or sender group who has transmitted the cryptogram. 
Sig (S) : Signature by S for the-^vhete whole. 

[0120] This is a data string for indicating a signature. Herein, the whole means Li, 
Pi(K), and K(D). The signature is referred to the description of Sig (Su) in the structure of the 



26 

group lock. According to the same expression, Sig (S) is expressed as described herein 

ttftdefr below. 

[Expression 3] 

n 

S(f Md (S(Li+Pi(K))D)) 
i=l 

[Flow of processing] 

[0121] Detailed process flow of the present example is described with reference to 
flowcharts shown in FIG. 8 to FIG. 16. 
[Group lock generation] 

[0122] The flowchart for describing group lock generation is shown in FIG. 8. It is 
required that the group lock or the public key of an individual corresponding to a member 
who is newly assigned, assigned newly is trusted by the generator when a group is generated 
(or when a group is added or changed). If the group lock or the public key of an individual 
corresponding to a member who is assign e d n e wly newly assigned is not trusted, trusting 
namely addition to the lock list must be performed prior to the generation of the group key. 

[0123] The generated group lock is added first to the lock list of the generator itself. 
The lock list is the generic name of the public lock list and the private lock list. Further, 
(when a cryptogram formed by encrypting for the generated group is decrypted, the member 
of the group needs the group lock. Conversely, when a cryptogram is formed for the group, 
also the group clock is needed. Arbitrary An arbitrary individual can encrypt. Therefore 
Therefore, it is necessary to distribute to individuals who may encrypt for the member or the 
group) the generated group lock is distributed to individuals who require it. Otherwise, the 
complex lock which is stored in the remote center may be sent when the sender of the 
cryptogram or the receiver requires it, or only the information which requires the complex 
lock may be sent. In the present example, the description of the distribution is omitted. 

[0124] The flowchart shown in FIG. 8 is described in detail. The label of the group 
lock generated in step 101 is entered. In step 102, whether a lock having the same label as the 
input label exists in the lock list is tested. Generation of a lock having the duplicated label is 
refused, and if there is already a lock having the same label in the lock list, then the sequence 
proceeds to step 113, and generation of a group lock is stopped. On the other hand, if there is 
no lock having the same label, then the sequence proceeds to step 103. 
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[0125] In step 103 and step 104, a member Mi and a changing right holder Ui are 
designated. The member is a member who uses the cryptography system in which the group 
lock is used, and the changing right holder has the right to change the group lock, for 
example, to add or delete the member. The member and the changing right holder are not 
limited to an individual but may be a group, and designated by selecting one or more group 
locks or public keys of individuals from among the public lock list which the group lock 
generator has. 

[0126] In step 105, a private key Sg, public key Pg, and common key C G of the 
group to be generat e d generated, is generated. In step 106, the generated private key Sg is 
encrypted by use of the common key Co to generate Cq (Sg). Further, P M i (Cg) which is 
formed by encrypting the common key Cg by use of public keys Pm* of respective members 
Mi is generated, and each Pmi (Cg) corresponds to the label Lmi. 

[0127] In step 107, a changing private key Su, changing public key Pu, and 
changing common key Cu of the group lock to be generated is generated. In step 108, the 
generated group lock changing private key Su is encrypted by use of the common key Cu to 
generate Cu (Su). Further, the common key Cu is encrypted by use of the public key Pui of 
the changing right holder to generate Pui (Cu), and each Pui (Cu) corresponds to the label Lui. 

[0128] In step 109, the version number of the group lock to be generated is set. In 
step 110, respective data of Lg, Pg, Cg (Sg), Pu, Cu (Su), V, P M i (Cg), and Pui (Cu) are unified 
together. In step 1 1 1, a signature is written on the unified previous data by use of the 
changing private key Su, that is, data conversion is performed. In step 112, the group lock is 
registered additionally to the lock list of the group lock generator and thus the generation of 
the group lock is brought to an end. The generated group lock has the structure shown in 
FIG. 4 as described her e inb e for e . above. 
[Addition to a lock list] 

[0129] A flow -flowchart of the addition procedure to a lock list -list, is shown in 
FIG. 9. Only the group lock or public key of the individual who is trustable is added to the 
lock list. This processing is used when the group lock which is generated or changed 
(generation of a new version) by ksetf -itself, is added and when the group lock which is 
obtained from others is added. 

[0130] In the present example, proc e ssing the process associated with distribution 
such as distribution of a key by means of an authentication office and distribution of a key by 
way of e-mail or floppy dise -disc. is not included. Proc e ssing The process for calculating the 
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trustability of a key by calculating the trustability in a signer or the trustability in a key of a 
signer is omitted. It is possible to include the above-mentioned acquisition of the trust level 
obtained by calculation of the trustability and to use it to judge the trustability. In the present 
example, the automatic trusting procedure of a new version of a group lock which has been 
already trusted is shown. In the present example, a new version is automatically trusted only 
when it is validated that the new version is signed by use of the changing private key of the 
immediately precedent version. 

[0131] In the addition to a private lock list, only the group lock from which the 
private key of the group lock can be acquired directly or indirectly by use of the individual 
private key of the individual itself from the trusted group locks is added. 

[0132] The flew -flowchart shown in FIG. 9 is described in detail. In step 201, after 
a lock to be added is specified, the presence of a signature written by use of the changing 
private key Su ! of the immediately precedent version, trustability, and correctness of the 
signature are judged in steps 202, 203, and 204, and if any one of them is "YES", then the 
sequence proceeds to step 214, the judgm e nt j udgment, by the trust lock holder itself whether 
the lock to be added is trustable or ne^ -not is entered. If the lock is trustable, the sequence 
proceeds to step 210, on the other hand if the lock is not trustable, the lock is not added to the 
lock list. In step 214 and step 215, the calculation to acquire the above-mentioned trustability 
can be used. 

[0133] In steps 205 to 209, how to process the precedent version is determined. 
When an group lock of a new version is added, it is required to properly process the group 
lock of the precedent version. It is judged based on the F value included in the group key of 
the new version. A new encryption or writing a signature should not be performed regardless 
of F value because the precedent version is old. The public lock list and private lock list 
should be classified into the newest version and the other, other version. In the present 
example, the classification is omitted, and only the newest is assigned when used. The 
processing which depends on F value is described h e rein und e r. below. 

a) In the case of F= "necessary", group lock of old version is kept undeleted. 

b) In the case of F= "unnecessary", group lock of old version is deleted. 

c) In the case of F= "delete", group lock is kept undeleted if the individual itself 
can acquire a private key of the new version, and is deleted if otherwise. 
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[0134] In step 210 to 213, addition to the public lock list is performed, the usability 
of the private key of the lock to be added is judged, and if the usability is YES, addition is 
performed also to the private lock list. 

[Judgement of the usability of the private lock] 

[0135] A flow-flowchart for judgement of the usability of the private key is shown 
in FIG. 10. In the processing, whether the encrypted private key included in an arbitrary 
group lock which is assigned can be acquired by directly or indirectly applying the individual 
private key of the individual itself is judged. 

[0136] This processing is used to judge whether a group lock may be included in the 
private lock list (step 212 in FIG. 9). The same judgement as this processing is necessary to 
judge whether a group key is usable or not for decryption in other situation, situations. 
How e v e r However, in many cases, simple processing to judge whether the group lock is 
included in the private lock list based on the fact that the group lock included in the private 
lock list is all the group lock from which the private key is acquired by the subject its e lf itself, 
as long as -as, it is known at the time point is used, and this processing is directly used not so 
often. 

[0137] In the processing, first whether the private key of the group lock directly 
given by using the individual private key of the individual itself is judged. If the private key 
is not acquired, whether the private key of the group lock given by direct use of each group 
key in the private lock list of the subject itself can be acquired or not is judged. The 
processing may be performed according to this procedure for only the purpose of judgement 
because the private key of the group lock in the private lock list is already known to be 
usable. 

[0138] The flew^flowchart shown in FIG. 10 is described in detail. In step 301 the 
group lock being judged to b e a (judgement target) is assigned, in step 302 it is determined 
whether or not the individual lock of the individual itself is a member of the group lock is_to 
be the judgement targ e t or not is judg e d, target, and if it is YES, it is judged to be usable. If it 
is not a member, in step 303 to step 305, the element Gi of the current private lock list is 
examined, and whether Gi is a member of the judgment target key or not is judged. In steps 
303, 304, and 305, the process is repeated with incrementing i of Gi successively. In the 
repeating step, if any Gi is a member of the judgement target key, it is judged to be usable. 
[Encryption] 
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[0139] The encryption processing flow of information is shown in FIG. 11. The 
following three items are entered in the processing. 

a) Plain document 

b) Decrypter 

[0140] One or more decrypter is assigned from the newest group lock or individual 
public key included in the public lock list. 

c) Signer 

[0141] Only one signer is assigned from the individual private key of the individual 
itself or newest group lock included in the private lock list. It is not necessary to assign 
unless a signature is written. 

[0142] Signing means that the signature target data is subjected to message digest 
and the resultant signature block is signed by use of a private key. Signing by use of a private 
key means encryption by use of a private key. The paragraphs "cryptography" in data 
structure and Sig (Su) in "group lock- in data structure should be referred for details. 

[0143] The flew ^flowchart shown in FIG. 1 1 is described in detail. In step 401, the 
information D to be kept confidential is entered, and in step 402, one or more public key Pi 
corresponding to the newest group and individual which enables to d e crypt decryption, is 
selected from the public lock list of the subject. In the proc e ssing, process, a member who is 
enabled to decrypt the encrypted data is selected. 

[0144] In step 403, the common key K is generated, and encryption of the 
information D by use of the key K is executed according to the public key cryptography 
system. In this case, the hybrid system in which the plain document is encrypted by use of the 
common key cryptography and only the common key is encrypted by use of the public key 
cryptography is employed because encryption processing and decryption processing using the 
public key cryptography is slow as described in the paragraph of [Cryptography]. The 
common key K is not necessarily the key which is generated every time when encryption is 
carried out, and may be the key which is generated as required or may be the fixed key which 
has been previously determined. 

[0145] In step 404, K is encrypted by use of the public key Pi of each decrypter to 
generate Pi (K), and the label-corresponding label respectively is given. In step 405, whether 
the generated cryptogram is to be signed or not is judged, and if the judgement is NO, then 
summarizing of each data is executed in step 410, and the encryption processing is brought to 
an end. If the judgement is YES, the sequence proceeds to step 406. 
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[0146] Steps 406 to 409 are signature processing step, the data to be signed is 
subjected to message digest processing (step 406), a key to be used for signature is selected 
from the private lock list (step 407), signature is executed by use of the selected private key 
(step 406), and the arrangement K (D) and the signed message digest (=signature block) are 
combined together (step 409). The encryption processing is e nd e d though th e abov e 
m e ntion e d st e ps, ended. 
[Decryptability judgement] 

[0147] A processing flow forjudging whether an arbitrary cryptography can be 
decrypted by the subject itself or fiet -not, is shown in FIG. 12. For example, this flow 
flowchart is used to confirm which encrypted file can be decrypted by the subject itself when 
the encrypted files are listed. This flew -flowchart is processing a process for executing the 
judgement of decryptability at high speed. In detail, base- based on the fact that decryption is 
impossible unless the label is coincident, first the coincidence of the label is confirmed and 
then decryption is tried only when the label is coincident. Generally, when the method for 
selecting the label is determined properly, this method provides sufficient performance. If the 
method for selecting the label cannot be specified, a method in which not only the label but 
also the public lock used for encryption is given to "cryptography" may be used for faster 
processing. 

[0148] In the proc e ssing, process, first the individual private key of the individual 
itself is tried to be used, and if decryption is impossible, then each group lock in the private 
lock list of the individual itself is tried to be used. Decryption described herein means 
decryption of only Pi (K) corresponding to the label Li in the "cryptography". It is not the 
purpose to obtain a plain document herein, K (D) is not decrypted. 

[0149] The decryptability judgment flow shown in FIG. 12 is described in detail. In 
step 501, a cryptography the decryptability of which is to be judged is assigned, hi steps 502 
and 503, whether the label in the cryptography Li is coincident with the label of individual 
label of the individual itself is judged. If both labels are coincident each other, the sequence 
proceeds to step 509 to try decryption. If decryption is impossible in step 509 or if the 
coincident label cannot be found in steps 502 and 503, whether the label Li in the 
cryptography is coincident with the owned private lock label or not is judged. If the 
coincident label Lei is found, then the sequence proceeds to step 5 1 1 to acquire the private 
key Sci of Gi corresponding to the label Lei, and decryption is tried in steps 512 and 51 3. If 
the decryption is not successful, the sequence proceeds to steps 506 and 507, and the 
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coincidence with the label of the private lock list owned by others and the coincidence with 
the label of the individual lock are tested. In step 506, the same processing as performed in 
step 504 is repeated for different labels, and in step 507, the same processing as performed in 
step 502 is repeated for different labels. If decryption is possible in step 510 or step 513, 
decryption in step 514 is judged to be possible. 
[Acquisition of private key in group lock] 

[0150] A flow for acquiring the private key Sg of the group lock included in the 
private lock list is shown in FIG. 13. The private key of the group lock is used for decryption 
and signature. 

[0151] It is apparent that the private key can be acquired because only the group 
lock from which the private key is acquired by directly or indirectly applying the private key 
of the individual is included in the private lock list. 

[0152] In the processing, p rocess, first direct application of the individual private 
key of the individual itself is tried. If the trial is not successful, application of the group lock 
in the private lock list is tried. In the trial application of the group lock, the-this proc e ssing 
process is called recursively. A directed graph which is the inclusive relation between groups 
namely members formed as directed arc having the group as the node. Therefore, the private 
key is acquired in this proc e ssing, process. 

[0153] An acquisition flew -flowchart of the private key Sq\ shown in FIG. 13 is 
described in detail. First in step 601, a group lock Gi in the private lock list is assigned. In 
step 602, whether the individual lock of the individual itself is included in the member of the 
group lock Gi is tested, and if it is included, the sequence proceeds to step 607, then the 
common key Cg is encrypted by use of the individual pubic key in the group lock Gi to 
extract the encrypted Pmi (Cg), and the extracted Pmi (Cg) is decrypted by use of the 
individual key to acquire the common key Cg- Further, Cg (Sg) in the group lock is decrypted 
by use of the common key Cg to acquire the group private key Sg- 

[0154] If the individual lock of the individual itself is not included in the member of 
the group lock Gi in step 602, then in steps 603 to 605 whether Gk is a member of Gi is tested 
on all the elements Gk of the private lock list. This proc e ssin g process is performed to test 
whether each "the group lock Gk which the private lock can use" held by the subject itself is 
included as a member of the group lock Gi. If Gk, which is a member of the group lock Gi A is 
detected in step 604, then the private key Sgk of Gk is acquired in step 608, the encrypted P M i 
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(Sg) in the group lock Gi is extracted in step 609, and the extracted Pci (Sg) is decrypted by 

use of the private key Sgk to acquire the group private key Sg. 

[Decryption] 

[0155] A flow to decrypt an arbitrary cryptography is shown in FIG. 14. The flew 
flowchart shown in FIG. 14 is the almost same flow as shown for the above-mentioned 
"Decryptability judgment" processin g process . Steps 701 to 713 correspond to steps 501 to 
5 13 in the decryptability judgment flow- flowchart shown in FIG. 12. Only one exception is 
that K(D) is decrypted by use of the key K of the common key cryptography to acquire the 
plain document D. In the case that the cryptogram has a signature, the signature is validated 
as r e quir e d required, simultaneously when the plain document D is acquired. 
[Signature validation] 

[0156] A flow-flowchart for validating a signature is shown in FIG. 15. The result 
obtained by the process p rocessing in which the signature being validated (signature target) is 
subjected to amessage digest process p roc es sing is compared with the result obtained by 
decrypting the signature block (data added by signature processing) by use of the public key 
corresponding to the private key which is used for the signature. If two results are equal each 
other, it is validated that the signature is correct and the signature target is not forged. 

[0157] Herein, the public key corresponding to the private key used for the signature 
should be trusted for correct validation. The condition that it is included in the public lock 
list of the subject itself should be satisfied for validation. The signature is not validated 
unless the public key is trusted. 

[0158] If the result of message digest is not equal to the result of decryption, then it 
is clear that the signature target has been forged. 

[0159] The signature validation flow-flowchart shown in FIG. 15 is described. In 
step 801, the signature target is subjected to message digest. The message digest means a 
proc e ssing process for generating information consisting of 128 bits, which depends on the 
content of the target range independently of the data size of the target range as described 
h e r e inbefor e , above, b ecause encryption of the entire target range of the signature requires a 
high cost. Next, in step 802, whether the public key corresponding to the private key used for 
signature is trustable or net -not, is judged. If the public key is not trustable, then the signature 
validation is judged to be impossible in step 806. 

[0160] If the public key is confirmed to be trustable in step 802, then the sequence 
proceeds to step 803, the signature block is decrypted by use of the public key corresponding 
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to the private key which is used for the signature, and the coincidence with the message digest 
is judged in step 804. This proc e ssing p rocess is the actual signature validation step. If the 
coincidence is denied in step 804, then the signature is judged to be not correct, that is, the 
private key used for the signature is judged to be not correct in step 807. If the message 
digest is judged to be equal to the decryption result in step 804, then the signature is 
concluded to be correct in step 805. 
[Group lock change] 

[0161] A flew- flowchart for group lock change is shown in FIG. 16. Four types of 
group lock change are described heroin und e r, below. In the flowchart, four types which are 
branched into four processing are described in the order from the left side. 

A. Add now. 

[0162] A new member is added. The added new member cannot decrypt the 
cryptography which has been encrypted before the addition. In this case, a pair of a new 
private key and public key is assigned to So and Pg of the group lock of the new version. The 
F value is "necessary". Therefore, the individual who receives the new version will not delete 
the previous version. The reason is that it is necessary for previous members to decrypt the 
cryptography encrypted before the addition. 

B. Add retroactively. 

[0163] A new member is added. The new member can also decrypt the 
cryptography encrypted before the addition. Li this case, the previous Sq and Pg are used as 
they are. Therefore, F value is "unnecessary". The individual who receives the new version 
deletes the previous version. The new version may be used to decrypt the cryptography 
encrypted before the addition. 

C. Delete now. 

[0164] An existing member is deleted. The deleted member can decrypt the 
cryptography encrypted before the deletion. Of course, the deleted member cannot decrypt 
the cryptography encrypted after the deletion. In this case, a pair of private key and the public 
key is assigned to Sg and Pg of the group lock of the new version. Further F value is 
"unnecessary". As the result, the individual who receives the new version does not delete the 
previous version. The reason is that it is necessary for previous members including the 
deleted member to decrypt the cryptography encrypted before the deletion. 

D. Delete retroactively. 
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[0165] An existing member is deleted retroactively. The deleted member cannot 
also decrypt the cryptography encrypted before the deletion. In this case, a pair of a new 
private key and public key is assigned to Sg and Pg of the group lock of the new version. 
Further, F value is "delete". As the result, the individual who receives the new version does 
not delete the previous version. The reason is that it is necessary for previous memb e rs 
members, excluding the deleted m e mb e r member, to decrypt the cryptography encrypted 
before the deletion. However, in the case that the individual who r e c e iv e s receives, cannot 
acquire the private key of the new version, that is, the individual is the deleted member, the 
previous version is deleted. The reason is that the previous version is deleted so that the 
deleted member cannot also decrypt the cryptography encrypted before the deletion. The 
deletion of the group lock of the previous version by the deleted member is not guaranteed 
mathematically, but the deletion is promoted as a system in character. 

[0166] When the group lock is changed, not only F value becomes meaningful but 
also the changing private key of the previous version is used for signature. The reason is that 
the new version is rendered trustable automatically in the case that the previous version is 
trusted as described hereinbefore. When the group lock is changed, the new group lock 
should be distributed promptly to ev e ry on e everyone who requires it. 

[0167] The group lock changing flew^ -flowchart shown in FIG. 16 and FIG. 17 is 
described in detail. In steps 901 and 902, a group lock to be changed is assigned, and the type 
of change is discriminated. In step 902, any one of addition processing and deletion 
processing is selected, in the case that addition and deletion are both involved as in the case 
of exchanging of the member, the order is set for each member and processing is executed for 
members one by one. 

[0168] In the case that the change involves addition of a member in step 902, the 
sequence proceeds to step 903, the public key of the group or individual corresponding to the 
member to be added is selected from the public lock list. Next, in step 904, whether the 
addition is the addition now or the addition retroactively is judged. In other words, whether 
decryption of the cryptographic information encrypted in the past is set so as to be possible or 
ne^ -not, is determined. If the judgement in step 904 is NO, namely the addition from now, a 
group public key Pg, group private key Sg, and common key Cg are generated in step 905, 
and "F" which indicates how to deal with the group lock of the immediately precedent version 
is set nec e ssary "necessary" in step 906. This indicates that the group lock of the new version 
and the group lock of the previous version are-coexist. On the other hand, if the judgement in 
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step 904 is "add retroactively", the sequence proceeds to steps 907 and 908, Sg, Pg> and Cg of 
the group lock which is under changing changing, are set as Sg, Pg, and Cg of the changed 
group lock as they are, and F is set "unnecessary". This indicates that the group lock of the 
previous version is replaced completely with the group lock of the new version. Next, in step 
909, the group private key Sg is encrypted by use of the common key Cu to generate C G (S G ), 
further Cg is encrypted by use of the public key P\ii of the member including the added 
member to form an arrangement of P M i (Cg) having the label LM corresponding to P M i as an 
index. 

[0169] Next, a new changing right holder is set in step 910, a pair of a private key 
and a public key of the changing key is generated in step 911, and the private key of the 
changing key is encrypted by use of the public key of the new changing right holder in 
step 912. 

[0170] Further, the version number V is updated in step 913, respective data are 
unified in step 914, a signature is executed by use of the changing private key for the unified 
data in step 915 to generate the signature result Sig (Su), and the data is further unified 
including the signature result in step 916. A signature is executed by use of the changing 
private key Su of the version before changing to generate Sig (Su 1 ) in step 917, and the 
changed group lock is added to the trust lock list of the generator in step 918, thus the 
changing procedure of the group lock is brought to an end. 

[0171] If the change involves the deletion of a member in step 902, the sequence 
proceeds to step 919, and a member to be deleted is selected. Next, in step 920, whether the 
deletion involves "from now" or "retroactively" is judged. In other words, whether the 
condition is set so that the cryptographic information encrypted in the past can be decrypted 
or ftet-noLJs determined. If the judgement in step 920 is "NO", namely deletion from now, a 
group public key Pg, group private key Sg, and common key Cg are generated in step 921, 
and "F" for indicating how to deal with the group lock of the immediately precedent version 
is set necessary to "necessary" in step 922. This indicates that the new group lock of the new 
version and the group lock of the previous version coexist. On the other hand, if the 
judgement in step 920 is "delete retroactively", then the sequence proceeds to steps 923 and 
924, Sg, Pg, and Cg of the group lock which are now under changing are set as Sg, Pg, and Cg 
of the changed group lock as they are, and F is set "delete". Next, in step 925, the common 
key Cg is encrypted by use of the group private key Sg, further the common key Cg is 
encrypted by use of the public key P M i of the member who deletes the deleted member, and an 
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arrangement of P M i (Cg) having the label L M i corresponding to Pm* as an index is formed. 
The procedure in step 910 and following steps is the same processing as performed in the 
case of addition. 
[Application example] 

[0172] FIG. 18 shows an application example to which the cryptography system 
described in the example is applied. In FIG. 18, a plurality of clients 20, a file server 30, and 
a directory server 40 are connected to a network 10. The network 10 may be LAN or WAN. 
The file server 30 stores files such as documents . documents. The directory server 40 stores 
the group key. In this structure, for example, it is assumed that the client 20a stores a 
document in the file server 30. The client 20a extracts a desired group lock from the directory 
server 40, encrypts the document by use of the public key included in the extracted group 
lock, and stores the encrypted document 50a in the file server 30. When the client 20b wants 
to use the document, the client 20b extracts the document 50a from the file server 30 and 
extracts a desired group lock from the directory server 40 to acquire a private key, and 
decrypts the above-mentioned document by use of this private key. 

[0173] In this structure, in the case that the client 20a writes a signature on the 
document and stores the document 50b with a signature in the file server 30, the client 20a 
extracts a desired group lock from the directory server 40 to acquire a private key of the group 
lock, and writes a signature by use of the private key. The client 20b can verify the signature 
of the document by use of the public key of the group lock. 

[0174] In FIG. 18, the document of the file server 30 is the target to be processed by 
use of a group lock, but in the case that a mail server is used instead of the file server 30, the 
same encryption and decryption processing, and signature and verification processing are 
performed. 

[0175] In the example of the present invention described hereinbefore, for example, 
the generation or change of decrypting leel^ lock, may be executed in an encrypting apparatus, 
a decrypting apparatus, or other apparatus in the third station, and that is true for other 
structural elements used in this public key cryptography system such as various lock lists. 

[0176] In the present example, the target to be encrypted by use of a private key of a 
group/member is a common key consisting of a small number of bits (for example, 48 to 120 
bits) and an amount of encryption processing is small, therefore a group lock is generated 
promptly at a reduced cost even though the number of members is large. Further Further, the 
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private key of the group lock appears only once in the cryptogram encrypted by use of the 
common key, therefore this system is preferable for maintaining the confidentiality. 

[0177] In the present example, the private key of the group lock is encrypted by use 
of the common key, therefore a cryptogram is decrypted at a low cost in comparison with the 
case of encryption by use of the public key. The private keys Sg and Su are not directly 
encrypted by use of the common keys Cg and Cu but modified private keys (Sg 1 , Su) may be 
encrypted by use of Cg and Cu. The relation between the modified private key and the 
original private key is specified as described herein under. 
[Expression 4] 

SG-fG(Sc) 

Su f= fu(Su) 

wherein functions Fq and Fu are not one directional function. Therefore, the functions 
F G and Fu include inverse functions f G _1 and fu" 1 represented by the following equations. 
[Expression 5] 

S G =f G ^Sg') 

Su = fu ^Su 1 ) 

wherein modified functions fc and fu may be arbitrary functions as long as the inverse 
function exists and may be selected depending on the degree of required confidentiality. 

[0178] The system structured as described herein above prevents an attacker from 
acquiring the private keys Sg and Su even if the attacker decrypts the cryptograms Cg(Sg') 
and Cu(Su') to acquire Sg and Su 1 because the attacker does not know the inverse function 
fc" 1 andfu" 1 . 

[0179] Instead of the process in which the common keys Cg and Cu are encrypted 
by use of the public key of the group/member to generate cryptograms Pmi (Cg) and Pm^Cu), 
the process in which a plain document is added with a so-called seed to encrypt the document 
may be used. This is represented as described herein under. 
[Expression 6] 

P\li (CG+fp(PMi) 
P\li (Cu+f p (PMi) 

wherein f p is a function which generates some output when the public key used for 
encryption is entered, for example, a hash function such as MD 5 or SHA 1 (brand name) may 
be used. The public key is different for every member, therefore the encryption target is 
different for every member, as the result the safety is improved. 
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[0180] In the above-mentioned example, because the common key is encrypted by 
use of the public key of each member, a plurality of cryptograms of Cg appears in the group 
lock. Even in this case, no hint is given to an attacker because of the seed. 

[0181] In the above-mentioned example, the private key is encrypted by use of the 
common key and the common key is encrypted by use of the public key of the m e mb e r, 
howev e r oth e rwis e , member. However, an encryption scheme in which the private key is 
directly encrypted by use of the public key of the member may be used. In such scheme, the 
above-mentioned seed may be used. In detail, the group key is structured so that the private 
keys Sg and Su are included in P M i (Sg) and P M i (Su) encrypted by use of the public key P M i of 
the member (common keys Cg and Cu are not used). In this case, P M i (Sc+f P (PMi)) and 
PMi(Su+fp(Pivii)) with seed is included in the group lock instead of Pmi(Sg) and Pmi (Su). 

[0182] As described h e r e inb e for e , above, in the group type public key cryptography 
system of the present invention, the concept of group is introduced into the conventional 
public key cryptography system in which an individual is involved as a unit, the encryption 
processing of a plain document and the decryption processing of a cryptographic information 
by an arbitrary member who belongs to the geup -group, can be executed by using the group 
public key and group private key which are generated with involving a group as a unit, and 
the combination of the individual public key and individual private key. According to the 
structure, it is possible for members of the group to hold cryptographic information in 
common based on the membership between the members in the group while the strict 
confidentiality is maintained between the inside of the group and the outside of the group. 
The proper encryption processing and validation of the proper encryption by the member in 
the group are possible by use of the electronic signature by the member who belongs to the 
group. 

[0183] Further, in the group type public key cryptography system of the present 
invention, when a group lock is changed correspondingly to the change of a member who is a 
component of the group, a new pair of group public key and group private key is generated 
and registered at the time point when a member is changed, and the group lock can be 
changed easily correspondingly to the member change in structure. A signature written when 
the group lock is changed covers the entire arrangement of elements which constitute the 
group lock to thereby ensure the guarantee of the change. 

[0184] Because the common key consisting of relatively small amount of data is 
encrypted by use of a cryptographic key to generate a group lock, the load for generating a 
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group lock is small. The private key itself of the group lock which is encrypted by use of the 
common key appears only once in the group lock, no hint is given to an attacker. 



